Smarter technology for a Smarter Planet:

The cloud that’s transforming an industry, one fish at a time.

At the University of Bari, a new computing model is creating new business models. Using an IBM SmartCloud™, their team built a solution that allows local fishermen to auction their catch while still at sea. By creating more demand for the fishermen’s product, the cloud has increased income by 25% while reducing time to market by 70%. Now the team is scaling the solution to create new business models for the winemaking and transportation industries. What can cloud do for your business? A smarter planet is built on smarter software, systems and services.

Let’s build a smarter planet. ibm.com/cloudsolutions
[ FROM THE EDITOR ]

Cloud Control

I had the pleasure of sharing the stage at the Cloud Leadership Forum with John Howie. Howie is the newly minted chief operating officer for the Cloud Security Alliance. He came to the CSA after a tenure at “a large cloud provider” - very large indeed - and was able to address both my questions and those from the audience in excellent, useful detail.

And “detail” seems to be the key word when it comes to securing cloud computing. Between technical issues, governance questions, and the ever-present contractual challenges, you really have to get out your magnifying glass and scrutinize a lot of fine print to ensure that your business can get all of cloud’s benefits without taking unexpected risks.

What’s been the area of greatest progress in cloud security over the past 12 months? Identity and access management (IAM), Howie said. New products from a variety of vendors, including Symantec and Intel, promise to make it easier to extend fine-grained identity management into cloud services. You’ll be able to not only activate new cloud services more quickly, but to do so with better control over access levels across your workforce.

What areas need more attention? Here Howie pointed to several issues.

One is the use of “free cloud” services and their lack of contractual rigor. When your employee stores data on Dropbox or Google Drive, his usage is governed by an end user licensing agreement. If the employee leaves, who owns that data and how can it be used?

Another concern is how cloud services can be layered. You may purchase a cloud service from one vendor that is in fact using Amazon Web Services’ public cloud as its infrastructure. If Amazon experiences a hiccup, your service goes down as well (surprise!). Do you know exactly where your data will live in each cloud engagement? And do you also know what local or international regulations might apply to your data in those locations?

And how about documentation and attestation of security controls - do you understand the nuances of the different versions of SSAE 16?

In this issue of the magazine, another cloud expert, John Kinsella, contributes a piece looking at five of cloud’s biggest challenges (see “5 (More) Key Cloud Issues,” Page 28). We’re several years into the emergence of cloud computing, and certainly not flying blind on its attendant security and risk issues. But even for those issues that appear to have been addressed, whether by vendors or alliances or someone else, your attention to detail is still very much required.

-Derek Slater, dslater@cxo.com
Introducing the next generation of access control. The platform that simplifies everything.

Learn about SIO.

hidglobal.com/sio or scan this with a QR reader

iCLASS® SE™ protects the integrity of your identities, regardless of the card platform. It’s also amazingly flexible — use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply reprogramming it.

Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/secure-CSO

[ FROM THE PUBLISHER ]

The Many Seasons of Our Discontent

I had high hopes that we might actually see a federal cybersecurity bill this year. Foolish me! (Of course, by the time this is published I may have been proven wrong - but I doubt it.) The Lieberman-Collins bill looked like it might go somewhere...but it didn’t. CISPA even passed the House before it ran into the stone wall of another house (white). Now there are grumblings in the Senate that may doom any other cybersecurity legislation that comes up this year. What a shame.

Then again, should we really be surprised that, in an election year, we can’t get something like this to move forward? I mean, how many years have we watched the Congress do nothing of substance to address what you, as loyal readers of CSO, and I already know: Cybersecurity is one of the greatest strategic threats to our nation, its businesses and its citizens in the last 50 years. (Department of Homeland Security Secretary Janet Napolitano recently expressed a similar sentiment. For more, see our story on Page 14.)

So, I offer this open letter to our representatives in Washington. It’s short but sweet:

Dear Leaders (sounds a little North Korean, but stick with me here):

We appreciate that you have been very busy this year, what with renaming all those courthouses and post offices around the country, but we would appreciate it even more if you could do something to stop all these pesky cyberattacks that are costing us billions to fight, fix and avoid. While you’re at it, we could really use some help protecting our nation’s critical infrastructure against cyberattacks and cybercrimes. Please don’t just tell us what to do. Give us the resources to do it before everything we invent here ends up manufactured by some Chinese startup two days later (how did they come up with a product exactly like ours so quickly?).

Thanks for your help. See you in November!

Sincerely,

Your frustrated CSO

I’ve always said that the best way to get someone’s attention when it comes to cyber-related risks is for something really bad to happen. For retail, that bad thing was the TJX breach; for gaming, it was the PlayStation breach.

Let’s hope someone in Congress takes the hint before we have to rely on the “something bad happened” incentive.

-Bob Bragdon, bbragdon@cxo.com
Do you know your physical security access infrastructure may be open to insider and outsider threats?

Take Control of your Physical Security Infrastructure with SAFE Solutions

Our SAFE Software Suite is a Physical Identity and Access Management System that enables a global approach to automate and streamline your Physical Security Infrastructure. With SAFE Solutions from Quantum Secure, automate and streamline physical access management, gain visibility and take control of on/off boarding processes across global facilities, and closely manage restricted areas to ensure compliance and reduce corporate risks.

SAFE delivers attestation reports for compliance to regulations such as SOX, NERC, PCI, HIPAA and more. SAFE also performs insider risk assessment with facility access analytics, and will operate with disparate physical access (PACS) and HR systems. The SAFE Software Suite is designed to create unprecedented efficiencies and lower all physical access related risks.

SAFE is ideal for:

> Government
> Airports and Ports
> Telecom
> Energy and Utilities
> Healthcare, Pharmaceuticals
> High Technology
> Financial
> Higher Education
> Transportation

QUANTUM SECURE
© 2012 Quantum Secure, Incorporated. All rights reserved.
> quantumsecure.com


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


BLOG POST

Compliance Does Not Equal Security

Over the past few weeks, we’ve read about multiple situations where an entity that had previously declared itself compliant demonstrated—either through self-inflicted deed or the nefarious efforts of another—that they were not secure. This begs the question: Does compliance equal security? I posit they are two different measurements, which are not interchangeable. You may be secure, yet not compliant. You may be compliant, yet not secure.

According to the Ponemon Institute’s “2011 Annual Study: U.S. Cost of a Data Breach,” sponsored by Symantec, “39 percent of all breaches are caused by individual negligence of an employee or contractor.” In mid-February 2012, Union Bank “discovered that a former contractor had kept proprietary bank data in his possession upon departure from the bank on January 31.” This is a clear example of a lapse in a company’s security regime, which permitted a departing contractor, who had no continued need to know, to retain sensitive data. The bank discovered and investigated. It sent out breach notification letters to the affected individuals and, as required, to the various states’ Attorneys General. In this instance, Union Bank included free individual credit monitoring and identity theft risk management solutions.

An example of a scenario where a company is compliant but not secure occurred this March and April, when Global Payments announced it had been breached and approximately 1.5 million accounts had been compromised. The breach was believed to have occurred in early 2012, but Global Payments acknowledged it only after Brian Krebs of Krebs on Security spilled the beans. Then it admitted to having “self-reported unauthorized access into a portion of its processing system”—fancy speak for a breach. Global Payments Chairman and CEO Paul R. Garcia announced that his security was up to snuff, observing, “It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customer.”

To better understand what had transpired, I contacted Global Payments and asked some basic questions. In response, the company forwarded to me a link to its crisis FAQ page. My questions:

1. How many accounts were compromised by the unauthorized access to your system? Answer: About 1.5 million. (This information per the company’s FAQ.)

2. How many banking institutions (banks, savings and loans, credit unions, etc.) were affected? No answer.

3. In which states did breach-notification laws apply to the unauthorized access to your system? No answer.

4. Was this event limited to U.S. cardholders or was this international? Answer: Predominately U.S. (Per FAQ.)

5A. Was your system judged to be compliant with PCI standards? No answer.

5B. What was the date of the most recent compliance certification? No answer.

5C. Who or what entity conducted the compliance certification inspection? No answer.

6. Are you offering credit report monitoring to all those whose credit cards have been compromised? Answer: Contact your bank. (Per FAQ.)

The CEO’s declaration of confidence notwithstanding, one is left with the feeling that the internal team was relying on its status as compliant to mean it was also secure, and once the breach was discovered, the disaster-recovery plan took over. The disaster-recovery plan seems to have led to obfuscation, either on purpose or due to their lack of knowledge of their ecosystem.

My Recommendations:

Compliance: No doubt the need for compliance-based reviews will not leave us—whether the standards we’re meeting are SOX, HIPAA, HiTech Act, SSAE16, PCI-DSS, or any other—as they allow both partners and customers to have a baseline knowledge of your ability to protect their data, their customers’ data and your own data. Don’t avoid getting these necessary compliance certificates, whether they’re required by the government, by an industry organization or by a contract. Engage and invest—it’s your data, your customer’s data and your company’s livelihood, which are all worthy of investment. Be proud of what you’ve achieved and don’t be afraid to let the public know that you’ve taken the step to be compliant with the necessary standards.

Security: Similarly, security is more than just putting an appliance or “security magic box” on your network and declaring it complete and secure, or locked down. Security encompasses the daily assurance that the aforementioned static compliance reviews and certifications remain valid, day in and day out. In addition, processes and policies must be treated as dynamic documents, and they must be accompanied by continual education and training of personnel. Technology is advancing far faster than compliance documents, so those responsible for protecting data must continually learn about new threats, update and patch any equipment whenever the vendor rolls out the updates, and constantly engage with their constituency—be they employees or customers—on how to maintain a secure environment. As I have said previously, policy creation and implementation requires engagement, and those who have to follow the rules must be a party to the creation of the rules. Whether or not an entity has a security breach will depend largely upon its degree of security preparation and implementation of preferred security practices.

In closing, please remember: Compliance does not equal security.

—Christopher Burgess

BLOG POST

Social Media Policies Under Fire

The acting general counsel of the National Labor Relations Board (NLRB) has issued several reports in just the past year highlighting the importance of drafting social media policies that avoid trampling on worker rights. As companies rush to implement policies directed at curbing employee use of social media, the NLRB’s guidance should be heeded.

The most recent NLRB memos can be found at www.nlrb.gov/publications/operations-management-memos. Of particular interest is the inclusion of the full text of an internationally recognized retailer’s social media policy, which is used as an example of the right way to draft a policy. With the guidance provided by the NLRB and now the provision of a full example policy, businesses can be far more confident in drafting appropriate policies. This information clears up many previously unanswered questions. Companies that disregard this valuable direction from the NLRB do so at their peril.

—Michael Overly


HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Managing Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
Email: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.

MORE ON THE WEB

Wake Up With Salted Hash

Your daily security news cuppa joe: CSOonline’s Salted Hash blog and newsletter covers the news as it happens.

http://blogs.csoonline.com/blog/cso

8 www.csoonline.com July/August 2012



You can't stop threats if you can't spot them. That's why HP Enterprise Security offers proven solutions that deliver context-aware visibility into security risk. There's no better way to proactively detect security issues and drive situational awareness across your applications, operations, and infrastructure. The HP Security Intelligence and Risk Management platform provides integrated correlation, application protection and network defenses that can secure modern IT environments from sophisticated threats.

For more information go to www.hpenterprisesecurity.com
TRENDS, STATS AND FAST FACTS
Edited by Bill Brenner

Flame Malware: The Fury and the FUD

Security vendors have been salivating over this complex new program, which has led to a lot of important research - and a lot of hyperbole

When we first started hearing about a newly discovered piece of malware called Flame in late May, the noise level was set way past 11. This was the relative of Stuxnet and Duqu that everyone had been nervously waiting for - the nasty piece of code that could finally be used to launch a digital Pearl Harbor.

Now that we’ve had a few weeks to absorb all the details, let’s see if we can find the important stuff within the vendor FUD.

The first important fact is that this is indeed a dangerous piece of malware. Jennifer Minella, a CISO, infrastructure security specialist, speaker and author, told us not to make light of Flame.

“Flame is very different from Stuxnet and Duqu, much, much larger, more sophisticated and modular. This time, it’s not hype,” she says.

This made us stop and take notice, because Minella is widely regarded in the industry as a straight shooter who doesn’t exaggerate.

Flame has also shined a light on the damage bad guys can do using USB drives.

USB drives have long been a security threat, of course, but Flame elevated portable storage devices to a new level of weaponry. Flame, originally discovered in Iran’s oil-ministry computers, used the USB ports found on every PC as a pathway to avoid detection by network-guarding security systems. The cleverness of Flame’s creators in keeping the malware under the radar is one more example of why experts find this specimen so special.

But as interesting and potentially threatening as this is, it’s not the imminent apocalypse some vendors have made it sound like. The PR pitch below, which was sent to reporters by email a couple days after the Flame story broke, is a good example of the problem: It reads like an Avenger comic book or the next Bond film. Bigger than Stuxnet! Highly sophisticated! Predominantly used in data theft and cyberespionage! Of course, the widespread proliferation of malware infected systems and the toolkits hackers need to complete their latest espionage is indeed dangerous.

The press release reads, in part: “[The vendor] is a recognized leader in providing solutions to defend against Advanced Persistent Threats (APTs). In order to address Flame, Deep Content Inspection (DCI) is a new approach to data inspection that incorporates thorough analysis that must be employed into the network. I wanted to connect you with as a resource to discuss the cause and effects of this malware.”

The contrast between Minella’s comment and that press release illustrates another important point: Whenever we talk to the security practitioners in the trenches - no matter the issue - they always have a far more muted reaction to the supposedly big news of the day. It’s not that they don’t find newly discovered malware, vulnerabilities and attack techniques important. Of course they do.

It’s just that in the day-to-day process of mounting a defense, these things don’t look anywhere near as exciting as we in the media sometimes make them out to be.

Granted, their lives do get exciting - in a not-so-good way - when these things result in a data breach. But the media hype isn’t necessarily going to help them prevent the breach.

-Bill Brenner

Illustration by CSO Staff
SALTED HASH

The Booth Babe Debate Is Back, in Time for Summer Cons!

LAST YEAR I caught a bit of grief from readers after I wrote a couple posts suggesting that vendors who use booth babes should try attracting people through the strength of their products instead. Those posts were in reaction to the display McAfee set up during Black Hat USA 2011. Now, as we prepare to descend on Las Vegas for the next Black Hat, the debate over using booth babes has been rekindled.

Let’s begin with the post that restarted the discussion—it’s titled “Ragequitting SummerCon,” and it’s a great read on the Idiosyncratic Routine blog written by New York-based infosec practitioner Amber Baldet, in which she wrote of the “burlesque thing” that flavored the recent SummerCon event in Brooklyn.

That was followed by a good post from IT security practitioner Neal Priestly, who wrote, among other things: “If you stoop to the worst sort of booth babe at the front of your booth, I’ll think you have nothing real to offer behind them either. That’s the business message I receive when your initial attempt to communicate involves marketing to my little head.”

Now security assessor Michelle Klinger has weighed in with an excellent read about booth babes and the return on investment they may or may not provide. A snippet:

I challenge vendors who use booth babes to share their booth babe ROI! I’m not interested in lead generation, because it doesn’t take much effort to scan someone’s badge or get a business card. I want to know, for the amount of money spent on booth babe talent, how much sales revenue is actually generated. Prove to us naysayers, once and for all, that booth babes are a financially sound investment...a revenue generating investment.

I don’t want to hear about the failure of sales when leads don’t translate into revenue. If that’s the case I’d argue you’d be better advised to invest in a better sales team than booth babes. I’d even go so far and challenge vendors to provide an explanation on how using booth babes are more advantageous than staffing booths with knowledgeable engineers.

It’s clear from the rest of her post that Klinger is skeptical of the ROI. We all should be. I’ll repeat what I said last year: I’ve been to many security conferences where vendors felt the need to hire women to stand around their booth with their stuff hanging out. It may be entertaining, but it can speak poorly of the vendor. This is a tricky thing, because the booth babe tactic works. That’s why vendors do it. People linger around the booth longer, pretending that they’re looking at the fliers and the demos. I could tell you I’ve never done such a thing, but I would be telling a lie.

It’s not easy to turn away from a spectacle.

I do think it’s unfortunate, though. Women in security fight for the respect they deserve every day, and this stuff probably isn’t very helpful to them.

There’s also some unfairness, because you never see the male booth babes. There’s an argument to be made that a good spectacle should have some balance, so both sexes get something out of it. Or you could argue that it would be better to just try attracting people to your booth on the strength of your products and reputation.

Some smart people disagree.

When I wrote about the McAfee Black Hat display, I took my hits: “If this is ‘in poor taste,’ then why even come to Vegas at all? The women at my hotel are dressed the same way...I personally think this whole topic is basically a distraction...I mean, do you go to cons for vendor booths? Those women make good money and chose to dress that way. They aren’t sad,” tweeted @awilsong.

That’s not an unreasonable point. And to me, this isn’t about the women who take the job. They are free to make a living as they see fit, and if they are proud of their bodies and want to show them off, more power to them.

This is about the vendors and whether they have what it takes to attract people to a booth on the strength of their products or if they need to rely instead on flashy gimmicks.

As I walked the exhibit floor at RSA a few months ago, I noticed that the booth babe thing had been toned down considerably. Instead, a lot of vendors decided to display race cars. Some might call this progress, but in the end, it’s just another gimmick—flash over substance.

And to me, that’s what this whole debate is about.

-B.B.

CSOonline’s Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso
At any moment, your organization could come face-to-face with an active shooter.

Will you be ready?

Every day, new threats arise from unexpected sources—cyber attacks on critical data and systems, a disgruntled employee who turns violent, even extreme weather that threatens lives and commerce. If you are responsible for protecting your organization’s human, logical, or physical assets, you can’t afford to miss ASIS 2012. It is here that you’ll discover what’s changed, what works, and most importantly, what’s next.

The conversation will focus on real-world results: how to face down challenges, maintain strategic growth, and profit in any economy, in any threat environment. Plan now to join more than 20,000 top professionals at the world’s most influential gathering focused on driving security’s future. Visit www.asis2012.org today.

ASIS 2012 FEATURES:

• 700+ top manufacturers and service providers
• Hundreds of new product introductions, thousands of solutions
• Comprehensive, high-caliber education program (200+ sessions)
• Unparalleled networking opportunities
• Colocated event: (ISC)2 Security Congress

REGISTER NOW for your FREE exhibits pass!

ASIS INTERNATIONAL
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CYBERWAR 

DHS:  Only  Threat  Bigger  Than  Cybercrime  Is  Al-Qaida 

Security  experts  back  up  this  claim,  made  by  Janet  Napolitano  in  a  recent  speech 


It  is  unlikely  that  Americans  will  ever  again 
see  terrorists  crashing  commercial  jets  into 
skyscrapers.  But  Department  of  Homeland 
Security  (DHS)  Secretary  Janet  Napolitano 
believes  that  malicious  computer  code  gener¬ 
ated  by  groups  like  al-Qaida  is  nearly  as  big 
a threat to the security and stability of the nation as physical terrorism.

Does that mean that we are at war with cyberterrorists? Napolitano doesn’t go that far; she uses the term “cybercrime,” as do a number of cybersecurity experts.

Still, the damage caused by cybercrime worldwide is headed toward half a trillion dollars a year. Napolitano, in a May 30 speech to business leaders and government officials, said that, other than al-Qaida and related groups, cybercrime is “the greatest threat and actual activity that we have seen aimed at the west and at the United States. Unfortunately, it is a growth arena.”

“Our cybersecurity as a country is inextricably linked to our economic capability,” she said. “The systems we use are interdependent, interconnected and critical to daily life in the United States. Communication, travel, powering our homes, running our banking systems: these are all interconnected systems.”

Napolitano cited a study by Symantec’s Norton that estimated the worldwide cost of cybercrime at $388 billion, more than the global market for heroin, cocaine and marijuana combined, and said, “I think those are conservative numbers, based on the things that come into DHS.”

But the United States is not just on the defensive. Napolitano’s speech came two days before the New York Times, citing anonymous sources in the Obama administration, reported that the president had secretly ordered the use of the Stuxnet worm to attack the computers that run Iran’s main nuclear-enrichment facilities.

The Times reported that this was in collaboration with Israel, and was the continuation of a program code-named Olympic Games, started under President George W. Bush. The attack is estimated to have set back the Iranian nuclear program by as much as two years. Attacking another nation’s military capability may sound like an act of war to some.

Joel Harding, a former military intelligence officer and now a communication and public diplomacy information operations expert and consultant, wrote in a blog post shortly after the Times’ story, “It’s official. The United States of America was the first to use an atomic bomb against an enemy and now the United States is the first to have acknowledged using a cyber weapon against another country. We are now certified bad guys to the rest of the world.

“To whoever leaked the information from the Obama administration, for whatever purpose, you have now doomed the United States to a terrible legacy forever,” he wrote.

But Harding told CSO he does not think this means the United States has started a cyberwar. “There will never be a pure cyberwar in my opinion,” he says. “There will be operations in cyberspace, but they will always be in support of other actions. By itself, warfare in cyberspace cannot conquer an enemy. The effects will normally be temporary and probably not physical.” Still, he says the admission taints the United States in the eyes of the rest of the world. “It is a challenge to maintain a high moral position if we are the first to acknowledge the use of such a weapon.”

Other security experts agree that “war” is the wrong term. Bruce Schneier, an author and the chief security technology officer at BT, says that “throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people.”

Marc Zwillinger, a lawyer and a specialist in cyber conflict, calls these exchanges “cyberattacks,” and says he doubts the United States was the first nation to use them. “Our government, government contractors, and ISPs have been pummeled for years,” he says.

Whatever the semantics, there is unanimous agreement that the attacks are doing enormous damage.

“Cybercrime is a really big deal,” Schneier says. “Much bigger than al-Qaida, which has basically been a fairy scare story since 9/11.”

Zwillinger says, “It’s something to take very seriously. It’s not that hard to undermine our economy and cause lasting effects. How long was the Facebook trading glitch that is being blamed for a lot of uncertainty and panic in the trading of one stock?”

“United States corporations lose billions of dollars in research to cybercrime and espionage every year,” Harding says. “Now imagine these efforts [aimed at] national security products. Not only do we lose intellectual property and, de facto, our investment dollars, but we may have a national security problem.”

Another problem with cyberweapons and the revelations about Stuxnet is that they can boomerang, unlike bullets or bombs. Richard Lardner reports for the Associated Press that “a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. It’s one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them.”

-Taylor Armerding
>> BRIEFING

Security Wisdom Watch

Summer FUD Edition!

Thumbs down: Booth babes. Black Hat and other summer security conferences have been somewhat tarnished in recent years by vendors who use so-called booth babes to attract attention to their exhibits. Let’s hope this year’s exhibits are stocked with smart engineers who can answer questions instead.

Thumbs both ways: Leon Panetta. The secretary of defense deserves credit for trying to make Congress more aware of cyberthreats. But he should be careful about using that “Digital Pearl Harbor” rhetoric. That’ll just scare our elected officials. And when they’re scared, they often rush through draconian legislation.

Thumbs down: Security PR flacks. I know PR people are under a lot of pressure to get publicity for their security clients. But sending out emails comparing Stuxnet to the atom bomb over Hiroshima is an irresponsible and foolish way to go about it.

Thumbs up: Mark McLaughlin. Sadly, we recently learned about the passing of McLaughlin, principal security engineer at RSA, at the young age of 41. He had gained a lot of respect in the industry for his work and his gentle nature. Our condolences and best wishes to his friends, family and colleagues.

Thumbs up: Dwight D. Eisenhower. We recently stumbled on this quote from this five-star general and 34th president of the United States: “If you want total security, go to prison. There you’re fed, clothed, given medical care and so on. The only thing lacking... is freedom.” It’s a good quote to remember as we debate what should be allowed in the name of cybersecurity.

-B.B.


Companies Overlook Threats While Focusing on Growth

Lack of serious consequences for breaches may lead to cavalier attitude toward data protection

In the world of cybersecurity, it long ago stopped being acceptable to just do the equivalent of putting a deadbolt on the factory door and keeping the lights on.

But too many companies are still stuck in the mentality that some security is enough, and have a culture that values growth over security, says Shellye Archambeau, CEO of MetricStream, a provider of governance, risk, compliance and management services.

In the wake of the recent data breaches of the popular professional networking site LinkedIn, the dating site eHarmony and the music site Last.fm, Archambeau says those companies are simply not keeping up with evolving threats.

LinkedIn, a mature, profitable company with an estimated 160 million members, is only one of the more recent examples of what experts say is a stunning lack of basic security among some companies.

Since the exposure of about 6.5 million passwords, it has been widely reported that the company wasn’t following even Security 101-level protocols.

As CSO reported last month, LinkedIn was protecting passwords with only the most basic encryption.

The process, known as hashing, scrambles a password with a mathematical algorithm and stores only the encoded, or hashed, version.

But that is not nearly enough to stop today’s hackers, who use automated tools that can test up to a million passwords a second. The current standard for security of stored passwords is to add a series of random digits to the end of each hashed password, which is known as salting. It’s relatively simple and can be done at no cost.
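The difference a salt makes, as an added example that is not from the article (the article names no code): with a bare hash, two users who chose the same password store the same digest, so one precomputed lookup covers both of them. With a random per-user salt mixed into the hash input and stored beside the digest, the same password yields a different digest for every account. PBKDF2-HMAC-SHA256 with a large iteration count is used here as the slow hash; the function names, the iteration count and the sample passwords are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # demo choice; tune so one verification costs a noticeable fraction of a second


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare hash of the password and nothing else."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given.

    The salt is an input to the hash, not something appended to a finished
    digest, so the stored digest changes with every salt. PBKDF2 also makes
    each guess cost `iterations` HMAC operations instead of one.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def unsalted_collide(pw_a: str, pw_b: str) -> bool:
    """True when two accounts' unsalted digests are identical."""
    return unsalted_sha1(pw_a) == unsalted_sha1(pw_b)


def salted_collide(pw_a: str, pw_b: str) -> bool:
    """True when two accounts' salted digests are identical (they are not, even for equal passwords)."""
    return salted_hash(pw_a)[1] == salted_hash(pw_b)[1]


if __name__ == "__main__":
    # Constructed demo values; not real credentials.
    print("unsalted, same password, same digest:", unsalted_collide("password", "password"))
    print("salted, same password, same digest:", salted_collide("password", "password"))
    salt, digest = salted_hash("correct horse battery staple")
    print("verify correct:", verify("correct horse battery staple", salt, digest))
    print("verify wrong:", verify("Correct horse battery staple", salt, digest))
```

The stored record is the pair (salt, digest); the salt is not secret, it only has to be unique per account, which is why it can sit in the same table as the digest.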

Not only was LinkedIn failing to do that, it also does not employ a CIO or CISO to oversee security measures.

Archambeau and others say one reason for the continuing spike in successful data breaches is that “while companies get a bit of a black eye, there are no major consequences for it.”

Archambeau believes enterprise leaders do care about securing their data, especially when that information is the crown jewels of the operation, as is the case with LinkedIn.

But she says she thinks part of the problem is a cultural attitude that she calls the “startup mentality.”

“Companies only exist when they are taking risks,” Archambeau says. “The environment and culture around that, that’s all good. But at the same time, as companies mature, they need to understand not only how to take risks, but how to manage it. They’re not doing enough on that.” -T.A.
HACKTIVISM

LulzSec Reborn Aims to Keep Hacking Movement Alive

As long as there are poorly protected targets, these groups will keep popping up, experts agree

About three months ago, following the arrests of five members of an Anonymous spinoff hacker group, an FBI official declared: “We’re chopping off the head of LulzSec.”

And perhaps they did. But activist hackers, some still claiming the LulzSec name, seem eager to prove that they are no more destructible than the Hydra, the mythical serpent with many heads, which grew two new heads wherever one was cut off.

One recent report said that the group calling itself LulzSec Reborn “posted about 10,000 Twitter usernames and passwords on Pastebin. The leaked Twitter accounts are from people who use TweetGif, a third-party app that lets users share animated GIFs.” This is not the first hack for which the group has claimed responsibility. In late March, only three weeks after the LulzSec arrests, the Reborn group broke into the database of the military dating site ESingles, stealing passwords, email addresses and other information from nearly 171,000 accounts and posting them on Pastebin.

Nick Selby, managing director of N4Struct and a Texas police officer who investigates cybercrime, says this should be no surprise. “It’s certainly evidence that the threat is highly distributed, and the barrier to entry for those wishing to engage in these kinds of activities is low and plummeting each day,” he says. Chester Wisniewski, a senior security adviser at Sophos, agrees.

“As long as there are a lot of assets out there that are reasonably insecure, this will keep happening,” he says. “The Occupy movement may no longer be visible, but the 99 percent are still upset. The FBI may give some individuals who are risk-averse pause, but if some people are stopped, there will always be another to step into the role.”

The FBI broke the top ranks of LulzSec about nine months after arresting its leader, Hector Xavier Monsegur, 28, who went by the handle Sabu. At the time, most security experts agreed that LulzSec had been damaged, but hardly eliminated. -T.A.


MEDIA MATTERS

Cybersecurity Expert Argues FUD Can Be Effective

Fear, uncertainty and doubt, especially doubt, may lead to more critical thinking about Flame and Stuxnet

Sharon Nelson thinks a certain amount of fear, uncertainty and doubt (FUD) is a good thing.

Nelson, an attorney and president of the information-security, digital forensics and IT consulting firm Sensei Enterprises, knows she is taking something of a contrarian stance. Most experts in the information security world view FUD as just part of a sales pitch: Scare the IT manager enough and they’ll buy your security product.

Experts also tend to dismiss the word “war” as exaggeration in their analysis of recent revelations that the United States was behind not only the Stuxnet worm used to attack the Iranian nuclear program, but also the Flame espionage malware.

Most security experts agree that cyberattacks are a major, costly problem, both for the business world and the government.

But they say it is going overboard to call this exchange of malware a war. As Bruce Schneier, an author and the chief security technology officer at BT, tells CSO, “Throughout history, the definition of a ‘major war’ has involved casualties in the hundreds of thousands. That means dead people.”

But Nelson doesn’t shy away from the term “cyberwarfare,” or from FUD. On Sensei’s Ride the Lightning blog, she argued, “The line between cyberwarfare and the real thing is a fine one, one our enemies may not appreciate.”

Nelson tells CSO: “You can accomplish some of the same kinds of things in a cyberattack that you can in a conventional war: you can take out water plants, transportation systems, communications.”

So, where does the value of FUD fit in all that? If people are scared and uncertain, what will that accomplish, other than, possibly, a fear-driven overreaction? Nelson says she does not advocate sowing panic. But she believes FUD, especially the doubt part, “may make people question things.”

In her blog post, she argued: “I doubt that we know a fraction of what is really going on and I doubt if the politicians or military will tell us the truth. They never have before. Why now?”

She added: “You have to second guess. None of us believes that what we hear on TV is reality any more than [a] reality show [is reality]. If [people are concerned], then more questions will be asked, more investigations will be done.” -T.A.
By Mary Brandel

At Rest, Not At Risk

Data at rest is data at risk, as the old saying goes. These database security tools and strategies can help you fight back.

Database security is starting to show up on the radar of C-level execs, and no wonder. According to Verizon’s “2012 Data Breach Investigations Report,” 174 million corporate records were compromised in 2011 (the highest since 2004, according to the company), and in a survey by the Independent Oracle Users Group, 31 percent of respondents anticipated a major data breach this year.

At the same time, most companies are still fairly low on the database security maturity curve, and so are just beginning to shift their attention from protecting the corporate borders to guarding the corporate jewels.

Businesses are faced with a heightened threat landscape, more sophisticated database attacks and an increased regulatory compliance burden, and Forrester Research predicts they will begin to spend more on database security, which now accounts for just 5 percent to 10 percent of their overall information security budgets. Meanwhile, database vendors are working to bolster their security capabilities, while third-party database security tool vendors continue to add to their offerings.

Market Activity

Forrester forecasts growth of the database security market at approximately 20 percent annually through 2014, with leading database vendors (for example, IBM, Microsoft, Oracle and Sybase) further extending database security, and independent vendors (such as Application Security, Fortinet, Imperva, McAfee and Vormetric) filling in the gaps. The database security market is in a state of consolidation, with IBM acquiring Guardium, Oracle buying Secerno, Fortinet incorporating IPLocks, and McAfee snapping up Sentrigo.

While the larger vendors will continue to dominate the database security market, according to Forrester, standalone vendors will start to use broader information security frameworks, and begin offering security-information-and-event-management (SIEM), intrusion-detection-and-prevention and data-loss-prevention systems.

Illustration by John Weber


Third-Party Tools vs. Database Vendors

Most enterprises use the security features that come native with the database management system (DBMS), according to Forrester, but they turn to third parties for advanced requirements, such as real-time protection, granular compliance reporting and support for heterogeneous deployments, the analyst firm says.

“DBMS security features are siloed per database vendor and don’t provide a holistic view,” says Mike Hortobagyi, senior solutions architect at Bell Canada. “It’s better to go with a centralized tool that can provide a full picture of the threat landscape from one console and integrate with other enterprise systems for management, risk reporting and analytics.”

Richard Isenberg, Fiserv’s VP of security engineering, turned to Imperva for tools to handle segregation of duties, vulnerability scanning and blocking suspicious activity. “The databases themselves don’t have enough security baked in to meet our compliance initiatives around tracking and understanding everything that privileged users do and alert us when they’re doing something we don’t want,” he says.

“It’s the fox-watching-the-henhouse mentality,” says Jon Oltsik, senior principal analyst at ESG. “The security community says it wants a third party finding problems with the database versus the database vendors themselves.”

Trends and Best Practices

Team up: One reason many companies are low on the database security maturity curve is that there’s a disconnect between the database and security teams. “Databases are complicated, and database teams are often their own fiefdom, very separate from the security team,” says Josh Shaul, CTO at Application Security. “For the majority of companies that have a database security program, it’s very isolated and tends to not be making a lot of progress.”

For instance, maybe the security team runs vulnerability scans, but database admins don’t act on the results, or the database team may start securing the environment without knowing how to do it well. “Getting the two teams together to accept database security as a shared problem is one of the most important keys, far more than any technology out there,” Shaul says.

Integrate with other systems: While many organizations begin their database security efforts with vulnerability scanning, they struggle to know what to do with the output of those reports, Hortobagyi says. “Scanning is the easy part,” he says. “You need an effective way to track, manage and remediate vulnerabilities over time. How do you manage vulnerabilities that you can’t patch right away, or that will be upgraded ‘soon’?” The answer is to hook the findings into other enterprise processes and systems, such as trouble-ticket processes, a case-management system or a SIEM system, he says.

Don’t boil the ocean: When beginning their database security programs, companies often make the mistake of trying to go from zero straight to 60 mph, Shaul says, resulting in frustration. Instead, they should prioritize a high-impact subset of issues or highly valuable databases and add on from there.

A phased improvement plan begins with database auditing and vulnerability scanning, Hortobagyi says, then moves up to access rights management, and then to activity monitoring, real-time protection and threat correlation.

Key Security Functions

VULNERABILITY ASSESSMENT AND SCANNING
Representative vendors: Application Security, Fortinet, Guardium (owned by IBM), Imperva, Microsoft, Oracle, Sentrigo (owned by McAfee), Sybase

Vulnerability scanners (the most mature category of database security tools, according to Oltsik) report on risks such as stale accounts, default passwords, outdated patches, incorrect configurations, unwarranted user privileges, and so on. According to Forrester, 48 percent of enterprises surveyed in 2011 had deployed database vulnerability assessment tools, up 66 percent from 2008.

Companies are increasingly interested in tracking and managing the activities of privileged users, finding out, for example, what data they can see, manipulate and copy.

A common complaint with scanners is that they return an unmanageable number of results. Shaul suggests starting with the easiest parameters to manage, such as blank passwords, and then moving to another issue, such as default passwords. “Every time you run through the scanning process, you should bite off manageable chunks so you get 12 results, not 10,000.”

Hortobagyi would like vulnerability scanners to give results with business context, such as which databases are critical or high-risk. “I need to collate these databases to lines of business, applications and business owners so I can take appropriate actions and know which people to notify.”

Another challenge is managing output from scanner reports, especially when vulnerabilities, such as patching, cannot be addressed right away, he says. Most systems allow you to add comments and suppress notification of known vulnerabilities so you’re not seeing repetitive alerts. But Hortobagyi would like to record progress on vulnerabilities over time. “It’s not enough to get a point-in-time view; we need an actual process for vulnerability management and a way to oversee it,” he says.
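The workflow Shaul and Hortobagyi describe (scan for the basic account checks, bite off one chunk of findings at a time, suppress accepted risks with an expiry, and compare scans so progress is recorded rather than a point-in-time snapshot), as an added example that is not code from any vendor named in the article. The account records, the default-password list, the 90-day staleness threshold and the function names are all constructed for this example; a real scanner compares stored credential hashes or attempts logins rather than reading a plaintext password field, which appears here only to keep the demo self-contained.

```python
from datetime import date, timedelta

# Constructed thresholds and sample data; not a real scan.
SCAN_DATE = date(2012, 7, 1)
STALE_AFTER = timedelta(days=90)
DEFAULT_PASSWORDS = {"changeme", "password", "admin"}   # placeholder list for the demo


def sample_accounts():
    """Three constructed account rows, shaped like a scanner's export."""
    return [
        {"db": "payroll", "user": "reports", "role": "app", "password": "",
         "last_login": date(2012, 6, 28), "privs": {"SELECT"}},
        {"db": "payroll", "user": "appsvc", "role": "app", "password": "changeme",
         "last_login": date(2012, 6, 30), "privs": {"SELECT", "INSERT", "DBA"}},
        {"db": "crm", "user": "jdoe", "role": "person", "password": "x7!Qp...",
         "last_login": date(2012, 1, 15), "privs": {"SELECT"}},
    ]


def scan(accounts, today=SCAN_DATE):
    """Return findings as (check, db, user) tuples, one per issue per account."""
    findings = []
    for a in accounts:
        key = (a["db"], a["user"])
        if a["password"] == "":
            findings.append(("blank_password",) + key)
        elif a["password"] in DEFAULT_PASSWORDS:
            findings.append(("default_password",) + key)
        if today - a["last_login"] > STALE_AFTER:
            findings.append(("stale_account",) + key)
        if "DBA" in a["privs"] and a["role"] != "dba":
            findings.append(("excess_privilege",) + key)
    return findings


def triage(findings, checks, suppressions, today=SCAN_DATE):
    """Keep only the chosen checks (one manageable chunk) and drop findings
    covered by a suppression that has not yet expired."""
    kept = []
    for f in findings:
        if f[0] not in checks:
            continue
        expires = suppressions.get(f)
        if expires is not None and expires >= today:
            continue
        kept.append(f)
    return kept


def progress(previous, current):
    """Compare two scans so remediation is tracked over time, not as a snapshot."""
    prev, cur = set(previous), set(current)
    return {"fixed": sorted(prev - cur), "new": sorted(cur - prev), "open": sorted(prev & cur)}


def demo():
    """Run scan -> triage -> progress on the sample and return the results."""
    first = scan(sample_accounts())
    # Risk accepted for 60 days while the service account is re-provisioned.
    accepted = {("excess_privilege", "payroll", "appsvc"): SCAN_DATE + timedelta(days=60)}
    chunk = triage(first, {"blank_password", "default_password"}, accepted)
    # Second scan a week later, after the blank password has been fixed.
    fixed = [dict(a, password="L0ng-r@ndom-p@ss") if a["user"] == "reports" else a
             for a in sample_accounts()]
    second = scan(fixed, today=SCAN_DATE + timedelta(days=7))
    return {"first": first, "chunk": chunk, "progress": progress(first, second)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Findings are keyed by (check, db, user) so that a suppression or a ticket attaches to one concrete issue; the same key is what lets the second scan be diffed against the first.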

One promising development is the compensatory controls that some vendors offer, which protect the database while vulnerabilities are being fixed. Application Security’s virtual patching, for instance, monitors unpatched databases for known exploits, Hortobagyi says.

At Fiserv, Isenberg uses Imperva’s database scanner for identity and rights management, patch management and database server configuration. “It takes routine audits to let us know where our configurations are out of compliance with industry standards and best practices,” he says. He also conducts scans to keep up-to-date with the location of sensitive data, which can change over time. “We need to make sure our policies are protecting the right data at a level that we need,” he says.

DATABASE AUDITING AND MONITORING
Representative vendors: Application Security, Fortinet, Guardium (owned by IBM), Imperva, Microsoft, Oracle, Sentrigo (owned by McAfee), Sybase

Auditing tools (the second-most-commonly-used tool, Oltsik says) detect malicious activity by monitoring database transactions and changes. Many companies use these tools to record and produce audit logs for compliance purposes.

Using these tools is a step up the maturity curve from passive scanning, Hortobagyi says. Companies need to plan on adding people and infrastructure (such as SIEM integration) to support the firehose of information that results from monitoring and capturing every single statement that gets executed in all your databases, he says. Another strategy is to limit use to high-risk databases or specific threat patterns.

Stacey Gregerson, senior database security analyst at Diebold, agrees that it takes a while to fine-tune auditing tools. “When I first started, I turned on all the alerts right off the bat,” he says. “I overdid it and taxed myself, personally.” He has since learned how to digest the same amount of information in a manageable way.

Gregerson, who uses IBM’s Guardium system for database monitoring and real-time protection, works with multiple database systems and version levels. He advises that when you first get the system, point it at the system you want to audit and monitor everything that comes through the box. “While doing that, start to fine-tune the system as to what to trigger alerts on,” he says.

Once you learn what you want to protect, you will begin getting fewer alerts. For instance, databases use a lot of linked tables, but you’re mainly concerned about small subsets of data in the database. “You go from triggering alerts on thousands of tables to just five or six,” he says. “We still get a report on other activities, but instantaneous alerts are just on the critical data.” It’s a matter of learning more about your data and understanding what is sensitive and what is not. “That alone gives us a competitive advantage,” he says.

Gregerson chose Guardium because he didn’t want to affect the performance of Diebold’s systems. Some third-party tools are designed as database add-ons, he says, which he considers an unnecessary layer. Guardium, on the other hand, sits on the server itself and monitors at the database kernel level. “The impact has been extremely minimal,” he says.

REAL-TIME PROTECTION AND DATABASE FIREWALLS
Representative vendors: Application Security, Fortinet, Guardium (owned by IBM), Imperva, Oracle, Sentrigo (owned by McAfee)

Companies are just beginning to move into real-time database protection, according to Oltsik. These tools seek out and automatically block or quarantine known attacks (such as SQL injections) and suspicious behavior (such as a user accessing a large volume of records during off hours).

“The technology is not super-mature, but the bigger issue is the market is not ready for the leap of faith to block what we think is an attack that may not actually be and cause bad things to happen to the application,” Shaul says. Rather than automatically blocking, companies might be more comfortable with an alert, followed by a manual investigation. Of course, this could take minutes or hours, compared to an automated approach that would shut down the activity before data is exposed.

At Fiserv, Isenberg installed the Imperva database firewall and let it run for three months to establish a baseline of normal activity. This enabled the tool to detect anything other than whitelisted activity and block it. It also allows Fiserv to restrict privileged users’ access and activity, regardless of the rights they’ve been granted. For instance, it stops call center agents from querying database records containing consumer financial information more than 10 times per hour, which is the average, as discovered by the baseline scan.
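The two tuning decisions described above, alerting only on the few tables that hold sensitive data (Gregerson’s “five or six”) and applying a per-hour read limit to one population of users (the Fiserv call-center rule, with its baseline of 10 per hour), as an added example run over constructed audit log lines. This is not Guardium or Imperva code and does not reproduce either product’s rule language; the log format, table names, roles and user names are all constructed for the example. A rolling one-hour window is used so the rule is the same whether a burst straddles a clock hour or not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning from the text: alert only on the handful of tables holding sensitive
# data, and apply the hourly limit to the call-center role. All names and the
# log format below are constructed for this example.
SENSITIVE_TABLES = {"consumer_financial", "card_numbers", "account_balances"}
RATE_LIMITED_ROLES = {"callcenter"}
RATE_LIMIT = 10                 # reads per rolling hour (the baseline figure in the text)
WINDOW = timedelta(hours=1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"table=(?P<table>\S+) stmt=(?P<stmt>\S+)$"
)


def parse_line(line):
    """Parse one constructed audit line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, sensitive=SENSITIVE_TABLES, roles=RATE_LIMITED_ROLES,
           limit=RATE_LIMIT, window=WINDOW):
    """Return (timestamp, user, count) for each SELECT that puts a rate-limited
    user over `limit` reads of sensitive tables within the rolling `window`."""
    recent = defaultdict(deque)     # per-user timestamps still inside the window
    alerts = []
    for line in lines:              # lines are assumed to arrive in time order
        ev = parse_line(line)
        if ev is None or ev["stmt"] != "SELECT":
            continue
        if ev["table"] not in sensitive or ev["role"] not in roles:
            continue                # not the data, or not the population, we tuned for
        ts = ev["ts"]
        q = recent[ev["user"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # forget reads older than the window
        if len(q) > limit:
            alerts.append((ts.isoformat(), ev["user"], len(q)))
    return alerts


def build_sample_log():
    """Constructed audit lines: one agent over the limit, one normal, a DBA on a
    non-sensitive table, and a later read after the window has expired."""
    base = datetime(2012, 7, 10, 14, 0, 0)
    fmt = "{} user={} role={} table={} stmt=SELECT"
    lines = []
    for i in range(11):   # agent17: 11 reads in 30 minutes
        lines.append(fmt.format((base + timedelta(minutes=3 * i)).isoformat(),
                                "agent17", "callcenter", "consumer_financial"))
    for i in range(3):    # agent08: 3 reads, well under the limit
        lines.append(fmt.format((base + timedelta(minutes=10 * i)).isoformat(),
                                "agent08", "callcenter", "consumer_financial"))
    for i in range(20):   # dba01: busy, but on a table we do not alert on
        lines.append(fmt.format((base + timedelta(minutes=i)).isoformat(),
                                "dba01", "dba", "product_catalog"))
    # agent17 again two hours later: the earlier burst has left the window
    lines.append(fmt.format((base + timedelta(hours=2)).isoformat(),
                            "agent17", "callcenter", "consumer_financial"))
    lines.sort()          # ISO-8601 timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print("ALERT over hourly limit:", alert)
```

In a real deployment the tool would act on the first alert for a user (block or quarantine, or just notify in detect-and-alert mode, which is the choice Shaul describes), and the DBA’s reads would be covered by a separate privileged-user rule rather than ignored.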

Isenberg understands the general discomfort with false positives but believes real-time protection will become more popular over time. Intrusion-protection devices took a similar path: many companies used them in detect-and-alert mode at first but now use them to block suspicious network traffic.

DATABASE  ENCRYPTION 
Representative  vendors:  Guardium 
(owned  by  IBM),  Microsoft,  Oracle,  Sybase, 
Voltage  Security,  Vormetric,  Protegrity 

Database  encryption  has  been  around 
a  long  time  and,  as  such,  is  very  mature, 
according  to  Adrian  Lane,  security  ana¬ 
lyst  at  Securosis,  a  security  research  and 
advisory  firm.  The  database  vendors  offer 
encryption  within  the  database  itself,  while 
some  third-party  tools  intercept  files  to 
encrypt  or  decrypt  them  then. 

According  to  Lane,  use  of  encryption 
tools  for  databases  is  rising  only  slowly, 
with  compliance  as  the  main  driver  for 
adoption,  particularly  for  the  payment 
card  industry  (which  requires  data-at- 
rest  encryption).  That  was  the  case  at 
ARC,  which  builds  financial  tools  for  the 
travel  industry.  ARC  needed  to  encrypt  its 
Teradata  data  warehouse  and  Oracle  trans¬ 
action  databases.  Jim  Holsten,  director  of 
technical  services,  wanted  one  tool  for  both 
environments  and  chose  Protegrity,  which 
offered  an  Oracle  encryption  engine  and 
was  willing  to  build  one  for  Teradata. 

Since implementing the system, Holsten has worked with Protegrity to write rules enabling more granular access to data. ARC is beginning to encrypt not just credit card numbers but also other sensitive items that no regulation mandates, including passport and driver’s license numbers.

Meanwhile, Tom Funk, compliance director at RedBrick Health, turned to Vormetric to comply with HITECH Act regulations and NIST guidelines. RedBrick chose Vormetric to encrypt the company’s MySQL back-end database, which does not offer encryption capabilities of its own, and went beyond the 128-bit minimum the standard calls for by using 256-bit keys instead.

Encrypting data at rest protects the stored copy while customers access the database over the Web; it does not by itself stop an attacker who queries through the application with valid credentials, which is where the activity monitoring described above comes in. “If anyone got a copy of the database, it would be unreadable,” Funk says. ■


Freelance  writer  Mary  Brandel  is  a  frequent 
contributor  to  CSO. 


20  www.csoonline.com  July/August  2012 



COVER STORY | LEADERSHIP

The 2012 CSO Compass Award honorees point the way toward risk management that’s more inclusive, and more exact. By Constantine von Hoffman


Jack  Jones 

NUMBERS  GAME 

WHEN  SOMEONE  SAYS  Jack  Jones  wrote  the  book  on  how  to 
think  about  information  risk,  they  mean  it  literally.  He  created  the 
Factor  Analysis  of  Information  Risk  (FAIR),  which  gave  security 
professionals  a  method  of  defining  and  analyzing  risk  in  a  way 
that  was  more  consistent  and  understandable. 

Jones started out in technology in the early ’80s before migrating over to the security side of IT. He spent four years working for a government intelligence agency and has more than eight years of experience as a CISO, five of those at a Fortune 100 financial services company.

FAIR came about because of an awkward moment Jones had when he was working at Nationwide Insurance. “I was having a meeting as the new CISO and a senior executive asked me, ‘How much risk do we have?’” says Jones, who is now CISO and senior vice president of IT risk for Huntington Bank. “The best answer I had was, ‘Lots,’ and I knew that wouldn’t satisfy him because it didn’t satisfy me.”

So Jones left the meeting and started looking for a way to answer that question. “I thought someone must have figured it out,” he says. “But none of the risk assessment methods I looked at held water.” Those systems didn’t offer a solid understanding of what risk is and what factors drive it. Because those didn’t exist, there was no common, accepted vocabulary for measuring and analyzing risk. This led to a marginalization of security because executives couldn’t get consistent, comparable information about risk, even from within their own organizations.

In  order  to  create  the  system  he  was  looking  for,  Jones  had  to 
re-examine  a  lot  of  very  well  accepted  ideas  about  security  and 
risk.  “I  decided  to  set  aside  what  I  had  learned  over  the  years,  and 
this  gave  me  the  freedom  to  challenge  a  lot  of  preconceived  ideas,” 
he  says.  “I  hate  to  prove  myself  wrong,  but  I  found  I  was  doing 
that  a  lot.” 

One  thing  he  found  was  that  a  lot  of  people  used  the  word 
“risk,”  but  what  they  meant  was  “vulnerability.”  A  function  would 
be  deemed  high-risk  because  it  was  very  vulnerable  if  an  attack 
should  happen.  Jones  wanted  a  system  that  would  also  take  into 
account  the  likelihood  of  a  given  event  and  what  its  impact  would 
be  if  it  happened.  If  you  have  to  break  through  three  layers  of 
protection  to  exploit  a  weakness  and  even  then  it  doesn’t  actu¬ 
ally  affect  much,  it  shouldn’t  be  considered  high-risk,  even  if  it’s 
relatively  easy  to  do. 

FAIR was also designed to be easily understandable. “No highfalutin math,” he says. This way, the results of the analysis can be shared with people who aren’t security experts and compared with analysis from other organizations, if need be.

“There’s  a  prevailing  belief  that  quantitative  risk  analysis 
must  be  horribly  complicated  and  time-consuming,”  he  says.  “It 
doesn’t  have  to  be.  The  feedback  I  get  is  that  FAIR  can  be  pretty 
intuitive  to  use.” 
Shelley Stewart

BUSINESS  VIEW 

WITH HER BROADER view of risk and deep knowledge of business, Shelley Stewart has made risk and security management a value creator. The executive director of global security for Cummins, an international manufacturer of diesel engines and power generators, didn’t come to the position with the usual background in security.

“A  lot  of  people  in  my  role  grew  up  in  law  enforcement,”  she 
says.  “I  didn’t.” 

She started as director of benefits strategy, and after implementing a major overhaul of the company’s healthcare program, she began looking for a new challenge. The director of risk insurance had just left the company and Stewart, along with her boss, recognized she had two strengths that made her a perfect fit for the job: a deep knowledge of insurance and an excellent understanding of Cummins. That last is no small thing in a company with 44,000 employees and customers in 190 countries.

Working  closely  with  the  risk  management  group  gave  her  a 
comprehensive  understanding  of  security  operations,  and  she 
was  asked  to  help  find  a  new  head  of  security  for  the  company. 
“The senior executives weren’t comfortable with the outside candidates who’d been brought in,” says Stewart. “As the search went on, my boss kept saying, ‘You should do it.’”

In her previous positions, Stewart had been able to increase the business value of the risk, safety, human resources and environmental functions. Management realized that this ability and her knowledge of the corporate culture were more important than a background in government, law enforcement, security systems or investigation.

As head of global security, Stewart is in charge of security operations, information asset protection, standardizing security processes, and intelligence and crisis management. Stewart says she figures out how security can better help business units instead of just telling them what the problems are.

“My  job  isn’t  to  tell  them  what  not  to  do,  but  how  to  do  it  with 
the  least  risk,”  she  says.  “This  sometimes  means  security  doesn’t 
have  to  be  as  extensive  as  we  thought  because  it  turns  out  the  risk 
we’re  protecting  against  isn’t  that  great.” 

One  of  her  most  important  achievements  was  putting  together 
an  intelligence  program  that  quickly  delivers  information  around 
the  world.  This  program  helped  her,  her  team  and  their  partners 
execute  preventive  measures  in  response  to  the  Arab  Spring,  the 
2011  earthquake  and  nuclear  disaster  in  Japan,  and  other  crises. 

While  Stewart  knows  that  a  strong  knowledge  of  security  is 
essential  for  risk  management,  she  understands  that  other  skills 
are  important,  too.  She  believes  having  a  deep  understanding  of 
business  drivers  is  the  key  to  making  security  add  value  to  the 
organization. 

“We could see that the company’s most critical asset is engineering information, so we brought in an engineer to help us with information asset protection,” she says. “This let us understand that in order to help the company, we had to come up with ways to protect that information which were flexible enough to let us work with outside partners.”


Kristin  Lovejoy 

ENABLING  INNOVATION 

IMAGINE  FOR  A  moment  you  work  for  one  of  the  best-known 
companies  in  the  world,  one  that  made  computers  an  essential 
part  of  business.  Imagine  this  company,  with  more  than  half 
a  million  employees,  had  let  each  business  unit  create  its  own 
security  systems  as  long  as  it  followed  certain  guidelines.  Now 
imagine  it’s  time  to  replace  that  with  an  enterprisewide  security 
architecture.  Most  people  would  reasonably  imagine  this  to  be  a 
scary,  overwhelming  project. 

Kristin  Lovejoy,  IBM’s  VP  of  IT  risk,  isn’t  most  people. 

“That much complexity creates more risk,” says Lovejoy. “We had to do this in order to decrease risk throughout the organization, even though it meant replacing solutions that may have worked perfectly well for a particular unit.”

Before she could do that, she had to transform the IT risk function at IBM. When she was named to her post in 2010, IT risk was focused on security, business continuity and disaster recovery. Its priorities were mostly driven by compliance or crisis mitigation. “We were sort of the department of ‘no,’” she says. “We were always telling people why they couldn’t do things.”

Lovejoy, with the support of then-CIO Pat Toole and his successor Jeanette Horan, knew that had to change. The department had to become one that enabled business innovation, not blocked it. “Instead of focusing on defense, let’s think about business transformation and processes,” says Lovejoy. “Our job is to think through the worst possible scenarios and create plans to overcome them so projects can move ahead.”
One example of that can be seen in how IBM has responded to the challenge of employees using their personal devices for work. By setting the IT risk department up to find solutions, not veto plans, IBM was able to securely move ahead with many new initiatives, including a bring-your-own-device (BYOD) strategy. Lovejoy, who had previously been vice president of security strategy at IBM, says that instead of waiting until BYOD was planned out, she and her team got involved at the start. In fact, her department helped create the business case for letting employees do this. By the end of the first year, the initiative was supporting 100,000 devices. This allowed employees to use social media to further IBM’s business agenda, and to adopt cloud computing on a wide scale.

To change the culture of IT risk, Lovejoy restructured it around a new model. At the heart of that model is the IT Risk Map, which is reassessed quarterly and considers:

■ Security and privacy
■ IT compliance
■ Supply chain risk
■ Geopolitical issues
■ Product assurance
■ Business transformation

This last item looks at what emerging technologies or technology-enabled business constructs IBM will need to adopt, plots a timeline for adopting them and assesses what would happen if they were not adopted.

“We’re making the 180-degree change, from focusing on compliance to empowering the business to enable innovation with confidence,” she says.


Dick  Parry 

CULTURE  CHANGE 

OVER THE PAST 30 years, Novartis’s Dick Parry has seen and done almost everything in the security field. He has gone from beat cop all the way up to head of security and information protection for a world-renowned medical research institute. Doing so has meant changing in ways he never anticipated when he started out.

“I used to believe that security as a discipline needed to be my primary focus. But I’m now more of a business person with a security skill set than just a security professional,” says Parry. That explains his title: executive director and head of global security, scientific data quality and archiving and records management for Novartis Institutes for Biomedical Research.

Along the way, Parry has gained a comprehensive view of all the types of operational risk. He has experience with strategy development and operational implementation; physical and logical security convergence; global frameworks and governance; enterprise risk management; disaster planning and business continuity; and crisis management and communication.

Parry started out with the Reading, Mass., police department, working his way up to sergeant before becoming security manager for The Analytic Sciences Corp.

“I was night shift commander when I entered the private sector, and I had been a big fish in a pretty small pond. When I became a small fish in a large pond, it was a bit of a culture shock,” says Parry. Adapting meant learning new skills and new ways of operating. “I learned that authority based on position wasn’t the path to success. It just doesn’t get you as much in the private sector. The ability to influence became much more important than the ability to control.” And he’s had ample opportunity to refine his ability to influence as a division security manager for Raytheon, head of safety and security for Iron Mountain and now at Novartis.

Parry has learned, too, that even influence doesn’t have to be direct. Today he knows his message is getting across “when people I haven’t spoken directly to are using my words, my examples, or echoing my philosophies,” he says.

The  two  biggest  changes  he’s  seen  during  his  career  have  been 
in  technology  and  in  the  way  that  risk  is  viewed  and  defined. 

Parry’s  view  is  that  technology  has  given  organizations  more 
information  about  risk  and  lets  them  understand  risk  in  new 
ways. 

“One of the most significant changes of the last 30 years, even just the last 15, is how technology has influenced assessment of risk and the complexity of risk-management operations,” he says. “Understanding and treatment of risk has had to become broader based across organizations. Savvy risk managers now help their organizations view risk holistically. That takes a whole different set of skills from earlier times, when it was possible to put risk in a frame, to view it rather simply. When I first started in private industry, risk management used to just handle insurance for an organization,” he says. “That was the totality of risk treatment.”

While having more knowledge of risk has clearly been a plus for businesses, Parry does wonder about what that information has allowed business to do. “I’m not sure if this is a good thing or a bad thing, but there’s been an overall shift in risk appetite. I believe that many companies are now more willing to take risks because they have a better understanding of what it involves.”

Parry  remains  committed  to  learning  new  skills  as  business 
needs  change.  But  that  said,  he  sometimes  has  a  nostalgic  view 
about  security  and  risk.  “When  I  look  back,  it  seems  that  things 
were  simpler.  Risk  and  security  were  easier  to  manage,  but  maybe 
not  as  well  understood.  That’s  what  technology  has  done  for  us; 
given  us  more  understanding.  Look  at  law  enforcement:  It  has 
pretty  much  the  same  mission  as  it  did  30  years  ago,  but  today 
it’s  much  more  professional  and  technologically  oriented.  Better 
tools  helping  cops  do  a  better  job.  I  know  if  I  went  back  and  did 
the  type  of  policing  today  that  I  did  then,  it  wouldn’t  work.” 

Rick  Kelly 

VALUE  FOCUS 

IN ITS MORE than 200-year history, Harsco had never had a CSO or even much interest in security. That changed in 2008 when the industrial services company asked Rick Kelly to come in as CSO and create a security and risk function. This was no small task: Harsco has 450 locations in 55 countries and had $3 billion in revenues last year.

Although Kelly had never worked in the private sector before, he was very familiar with large, multinational security problems from the time he spent in charge of planning and strategy development for the FBI’s counterterrorism division.

“They had nothing as far as security was concerned: No central monitoring, no metrics, nothing,” says Kelly, who is now CSO at Ingersoll Rand. “There were so many things that needed doing [that] it was like drinking water from a fire hose.”

Harsco may have never needed a security operation more than it did when it hired Kelly. The global financial crisis hit it hard. The company lost almost $1 billion in revenue and had to shed about 5,000 employees. This forced it to shift the focus of its operations from Europe to emerging markets such as China, Brazil and India. While these new markets have huge opportunity for growth, they also have great security risks.

Kelly’s first step was to put in a global security policy that included travel security procedures so the company could know where people in risky areas were at all times. “I made it clear that our number one priority was protecting our people,” he says. The company’s global traveler locator program gathers information from its partners to provide real-time intelligence to all employees on the move internationally.

He  also  faced  another,  equally  important  challenge:  proving 
to  this  giant  organization  that  security  has  bottom-line  value.  “I 
had  to  constantly  prove  that  security  isn’t  just  guns,  guards,  locks 
and  gates,”  says  Kelly. 

He did this by improving security through centralization and automation and by creating metrics that made it clear to senior executives how security was helping them. For example, he centralized the physical security function, which improved the protection of global assets without weighing heavily on each business unit’s budget. Harsco’s enterprise risk management system will soon handle all alarm monitoring, CCTV and access control functions around the world from one location.

As if all this wasn’t enough, in 2010 Kelly was promoted to chief compliance officer and asked to build another global program, this time focusing on regulatory compliance and fighting corruption. Since then, Harsco has implemented a global hotline for reporting fraud, created the Office of Global Compliance, and conducted the company’s first-ever cultural survey of its employees’ attitudes about integrity and compliance. This has enabled each business unit to come up with plans to address gaps in their compliance programs.

Kelly  expects  to  find  more  on  his  plate  soon,  and  he  can’t  wait. 
“I  eat  it  up  like  a  dog  on  a  meat  wagon,”  he  says. 


Eric Cowperthwaite

CONNECT  THE  DOTS 


BUSINESSES FREQUENTLY DIVIDE risk and security efforts among several business units or make them specific to a certain place or type of activity: Electronic is separate from physical is separate from financial. However, keeping them all apart makes it impossible to understand how one risk can affect and exacerbate so many others. That’s the problem Eric Cowperthwaite, CISO for Providence Health and Services, is most concerned with.

Cowperthwaite has been overseeing Providence’s drive to create enterprisewide risk management. He wants to close the gaps that allow issues to be overlooked, most likely because no one is looking at the entire picture.

“Our goal is to see it before it imperils the organization,” he says. Cowperthwaite wants to prevent anything like what happened after Lehman Brothers went bankrupt and companies had no idea how much risk they faced as a result of that.

“One  person  can’t  see  everything.  How  are  we  going  to  know 
what  large,  critical  risks  we  are  threatened  by  when  people 
weren’t  able  to  see  it  in  2008?” 

Working  with  Providence’s  chief  risk  officer,  as  well  as 
with  the  heads  of  the  audit,  compliance,  privacy,  insurance 
and  security  departments,  Cowperthwaite  developed  and 
implemented  an  enterprise  risk  management  services  group. 
This  new  organization  is  built  according  to  how  the  business 
actually  operates  and  not  some  inherited  idea  of  how  security 
should  be  divided. 

“This  is  a  vision  of  a  group  of  people  who  feel  really  strongly 
about  the  need  for  risk  management  at  the  enterprise  level,” 
he  says. 

That’s  not  to  say  he  doesn’t  understand  the  need  for  specific 
types  of  expertise.  “We  wanted  to  share  our  knowledge,”  he  says. 
“We  knew  it  wouldn’t  make  sense  to  have  tech  people  reporting 
to  people  who  just  analyze  risk,  just  as  it  wouldn’t  make  sense  to 
have  people  who  analyze  risk  reporting  to  tech  people.” 

Having all these people together under one organizational roof means it is easier to see if a denial-of-service attack is actually part of another, bigger threat by understanding its potential financial impact. The strategy has also made it possible to create a model for defining and measuring inherent, managed and residual risk at Providence.

Combining the security and risk functions raised their profile and made the entire organization more aware of what risk is. This, in turn, has led to a better understanding of what really causes risk for Providence, a nonprofit that runs 27 hospitals, 214 physician clinics, senior services and more in five states.

“We’ve really worked on the human side of risk management,” says Cowperthwaite. “Instead of just asking the top five executives what risks they saw, we asked the top 150, ‘What risk do you face?’”

Healthcare  reform  is  a  great  example  of  this.  Historically, 
Providence  had  viewed  it  as  a  risk— not  because  it’s  bad  or  good, 
but  because  it  causes  change. 

“By talking to all these people, we found out it’s not the healthcare reform that’s the risk, it’s the things we need to change because of it,” he says. “Understanding this let us minimize the risk caused by those changes.” ■


Constantine von Hoffman is a freelance writer based in Massachusetts. Send feedback to Editor Derek Slater at dslater@cxo.com.
Getting the maximum possible business benefit out of cloud computing requires diligent security. How are you handling these five challenges? By John Kinsella


AS WE’RE ADOPTING cloud computing, we’re more aware of the security concerns it raises than we were of the issues created by other large-scale technologies we adopted in the past. This is a wonderful thing! But security nirvana has not yet been achieved. While there’s still plenty of room for cloud providers to improve, many aspects of cloud security must be the responsibility of the consumer.

In particular, I see five security-related issues with cloud computing that are critical to the success and security of a cloud-based project, and that are not always getting the full consideration they deserve.

1 Internal clouds are not inherently secure.

In the past year, many organizations have forgone using public clouds, choosing instead to build private clouds behind their firewalls. This may be the best solution for risk-averse groups.

These  teams,  though,  need  to 
understand  that  just  because  they’ve 
built  a  cloud  inside  their  firewall 
doesn’t  mean  that  their  solution  is  safe. 
It  still  takes  just  one  bad  apple  to  spoil 
the  barrel— a  single  department,  user 
or  application  that  is  not  behaving  as 
it  should. 

An organization that is risk-averse enough to avoid the public cloud should be building a secure cloud; possibly the company should be building its dream cloud, which contains all the security controls that it thinks are missing from a public environment. Since the company physically owns the private cloud, incident response can be very swift. Detection capabilities need to be cloud-specific (for example, sensors need to monitor inside the cloud, not just at its perimeter) and operational capabilities such as patch management must be sharp. A vulnerable service in a cloud can have greater exposure and risk than the same service in a standard server farm, because cloud resources are shared: a compromised guest sits on the same hypervisor, network and storage as its neighbors.

Several vendors are now able to sell spare resources from a private cloud to other organizations. Imagine: A risk-averse company builds an internal cloud, firewalled from the public Internet. They’ve taken basic precautions, but haven’t really built security into their playbook. The following year, the organization’s budget shrinks, and management hears it can cover costs by renting part of the company’s cloud when it’s not in use. Maybe they understand the risk involved, but decide to mitigate it at a contractual level.

This  is  not  a  farfetched  scenario, 
and  if  I  were  looking  for  malicious 
entertainment,  buying  a  few  hours’ 
time  in  an  organization’s  internal  cloud 
could  provide  interesting  results. 

2 Companies lack security visibility and risk awareness.

The paucity of security visibility that most providers offer their customers is itself getting plenty of visibility. Obviously, when using a public cloud service, companies must balance the competing factors of control, visibility and cost. This can be a significant issue: reduced visibility results in diminished situational awareness and a questionable understanding of risk.

When planning a move to the cloud, an organization needs to recognize this lack of visibility and determine how to best leverage what insight they can get their hands on. Really, this means designing mitigating controls.

At the infrastructure and platform levels, this is straightforward: Log more information in your applications and set systems up to generate alerts when signs of compromise or malicious use are spotted (for example, when files are modified, records are changed more frequently than usual, or resource usage is abnormally high). For software as a service (SaaS), though, these precautions will require more thought.
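The "records changed more frequently than usual" alert above and the Fiserv database-monitoring rule earlier in this issue (block a call center agent who queries consumer records more than the baseline of 10 times an hour) come down to the same mechanism: learn what normal looks like from a training window, then judge each actor-hour against it. The Go program below is an added example, not code from the article or from any vendor named in it; the audit-log format, the agent names and the query counts are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"time"
)

// HourlyCounts parses constructed audit lines like "2012-07-03T09:15:02Z agent17 query"
// (RFC 3339 time, actor, action), skips malformed lines and counts one action per actor-hour.
func HourlyCounts(raw, action string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[2] != action {
			continue
		}
		if at, err := time.Parse(time.RFC3339, f[0]); err == nil {
			counts[f[1]+"@"+at.UTC().Truncate(time.Hour).Format(time.RFC3339)]++
		}
	}
	return counts
}

// Baseline is what "normal" looks like: mean and standard deviation of the
// per-actor hourly counts observed during a training window.
type Baseline struct{ Mean, StdDev float64 }

func LearnBaseline(counts map[string]int) Baseline {
	n := float64(len(counts))
	if n == 0 {
		return Baseline{}
	}
	var sum, sq float64
	for _, c := range counts {
		sum += float64(c)
		sq += float64(c) * float64(c)
	}
	mean := sum / n
	return Baseline{Mean: mean, StdDev: math.Sqrt(math.Max(0, sq/n-mean*mean))}
}

// Policy turns a deviation into a decision: HardLimit is the Fiserv-style "more than N
// an hour is blocked" rule, AlertSigmas the detect-and-alert rule for shops not yet trusting blocks.
type Policy struct {
	AlertSigmas float64 // alert when count > mean + AlertSigmas*stddev
	HardLimit   int     // block when count > HardLimit; 0 disables blocking
}

// Verdict classifies one actor-hour count as "allow", "alert" or "block".
func Verdict(count int, b Baseline, p Policy) string {
	if p.HardLimit > 0 && count > p.HardLimit {
		return "block"
	}
	if float64(count) > b.Mean+p.AlertSigmas*b.StdDev {
		return "alert"
	}
	return "allow"
}

// Evaluate maps every actor-hour of the live window that was not simply allowed to its verdict.
func Evaluate(live map[string]int, b Baseline, p Policy) map[string]string {
	out := map[string]string{}
	for bucket, c := range live {
		if v := Verdict(c, b, p); v != "allow" {
			out[bucket] = v
		}
	}
	return out
}

// SampleLogs builds constructed data: a training day on which three agents
// make 9 to 11 queries an hour (the mean works out to exactly 10) and a live
// hour with one normal agent and three increasingly busy ones.
func SampleLogs() (training, live string) {
	var t, l strings.Builder
	add := func(sb *strings.Builder, day string, hour, n int, actor string) {
		for m := 0; m < n; m++ {
			fmt.Fprintf(sb, "%sT%02d:%02d:00Z %s query\n", day, hour, m, actor)
		}
	}
	for i, agent := range []string{"agent01", "agent02", "agent03"} {
		for h := 9; h < 17; h++ {
			add(&t, "2012-07-02", h, 9+(i+h)%3, agent)
		}
	}
	for agent, n := range map[string]int{"agent03": 10, "agent04": 11, "agent05": 13, "agent06": 40} {
		add(&l, "2012-07-03", 9, n, agent)
	}
	return t.String(), l.String()
}

// Run learns the baseline from the training log and judges the live hour.
func Run(p Policy) map[string]string {
	training, live := SampleLogs()
	return Evaluate(HourlyCounts(live, "query"), LearnBaseline(HourlyCounts(training, "query")), p)
}
```

Running `Run(Policy{AlertSigmas: 3})` against `Run(Policy{AlertSigmas: 3, HardLimit: 10})` shows the trade-off Isenberg describes: with the statistical rule alone, agent04’s 11 queries pass and only agent05 and agent06 are flagged for a human; with the Fiserv-style hard limit at the average, all three are blocked, agent04 included, which is exactly the kind of borderline case that produces the false positives teams worry about. The same functions work unchanged on a cloud audit feed once its lines are mapped to the time/actor/action shape.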

SaaS  providers  are  beginning  to 
distinguish  themselves  via  security 
features.  Organizations  vetting  SaaS 
providers  should  consider  how  they 
will  handle  risk  awareness— does 
the  provider  offer  usage  data  that  is 
granular  enough  to  recognize  changes 
in  usage?  (Monthly  billing  doesn’t 
really  cut  it,  unless  the  risk  scenario  is 
a  malefactor  who  only  attacks  on  the 
29th  of  the  month.) 

If a malicious user attempts to access data stored in the cloud, how will the company learn of this? If sensitive data is modified or destroyed, is there a way for you to be notified quickly? Frequently, providers will offer a wider variety of information via an API than they do in their dashboard. While this does require that you get code written that can leverage the API, modern APIs are usually easy to work with, and the information you gain as a result will be valuable to risk-sensitive organizations.

It would be great to have a standardized API for gathering security information from a provider, but as far as I know, no one is developing one right now.

3 Sensitive information needs safer storage.

Safely storing sensitive information is one of the toughest problems in cloud computing. The solution is to encrypt data, but the critical questions are where to encrypt, and how.
The first requirement of successful encryption in the cloud, which some providers do not yet understand (or at least don’t practice), is: Do not store the encryption key with the encrypted data. Doing so more or less negates any value gained from encrypting the data.

However,  the  solution  is  fairly 
simple,  and  there’s  no  excuse  for  not 
implementing  it. 
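What that simple solution looks like in practice is envelope encryption: each record gets its own data key, and the only copy of that key stored beside the ciphertext is one wrapped under a key-encrypting key held somewhere the cloud tenant cannot reach, such as an HSM or key manager. The Go code below is an added example, not code from the article or any provider it mentions; the in-memory KeyService is a stand-in for that external key manager (an assumption of the example), and LeakyBlob shows the anti-pattern the paragraph warns against.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// seal encrypts and authenticates plaintext with AES-GCM under a fresh nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ciphertext, nil)
}

// randomKey returns 32 random bytes for AES-256; crypto/rand does not fail
// on supported platforms.
func randomKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

// KeyService stands in for the HSM or key manager that sits outside the
// cloud tenant (an assumption of this example). It holds the key-encrypting
// key (KEK) and only ever wraps or unwraps data keys; the KEK never leaves it.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService                                           { return &KeyService{kek: randomKey()} }
func (ks *KeyService) Wrap(dek []byte) (nonce, wrapped []byte, err error) { return seal(ks.kek, dek) }
func (ks *KeyService) Unwrap(nonce, wrapped []byte) ([]byte, error)      { return open(ks.kek, nonce, wrapped) }

// Envelope is everything stored beside the data in the cloud. The data key
// appears only in wrapped form, so a copy of the storage is useless without
// access to the key service.
type Envelope struct {
	DEKNonce, WrappedDEK []byte
	Nonce, Ciphertext    []byte
}

// Encrypt generates a fresh data key per record, encrypts the record with it,
// wraps the key through the key service and then discards the plain key.
func Encrypt(ks *KeyService, plaintext []byte) (Envelope, error) {
	dek := randomKey()
	nonce, ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	dn, wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Envelope{}, err
	}
	for i := range dek {
		dek[i] = 0 // best effort: the plain DEK lives only for this call
	}
	return Envelope{dn, wrapped, nonce, ct}, nil
}

// Decrypt unwraps the data key through the key service, then opens the record.
func Decrypt(ks *KeyService, e Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(e.DEKNonce, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Nonce, e.Ciphertext)
}

// LeakyBlob is the anti-pattern the text warns against: the key stored next
// to the ciphertext. ReadStolenBlob shows that a copy of it needs nothing else.
type LeakyBlob struct{ Key, Nonce, Ciphertext []byte }

func ReadStolenBlob(b LeakyBlob) ([]byte, error) { return open(b.Key, b.Nonce, b.Ciphertext) }
```

The difference between the two shapes is not the cipher (both are AES-256-GCM) but who can turn a stolen copy into plaintext: a thief holding an Envelope still needs the key service, a thief holding a LeakyBlob needs nothing at all, and GCM’s authentication tag means a tampered envelope fails to open rather than decrypting to garbage. A real deployment also records which KEK wrapped each data key so keys can be rotated, and keeps the key manager’s request log, which is a useful audit trail of who decrypted what.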

In current shared environments, nobody is yet offering a virtual-machine solution that guarantees the integrity of the guest environment. This means that a malicious program could be monitoring the guest’s encryption-decryption logic, capturing both plain-text data and the encryption key.


If the application receives plaintext data and encrypts it in the cloud, there’s no easy fix for this right now, other than running on bare metal: dedicated physical servers rather than virtual machines shared with other tenants, so that no hypervisor layer owned by someone else sits beneath the encryption logic.

Some businesses, though, don't encrypt in the cloud at all, but encrypt data before it reaches the cloud service. This works in cases such as a company using a customer resource management system only from its offices, or a business where all users either are at headquarters or VPN into headquarters before connecting to the cloud service.

Several companies make appliances (virtual or physical) that proxy data leaving an office on the way to a cloud service and encrypt or tokenize it before sending it to the cloud. This allows them to use a cloud service without worrying about data loss, as long as they only intend to access the cloud service from behind that appliance.
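The tokenizing half of such an appliance, as an added Go example that is not from the article or from any vendor's product: sensitive fields are replaced with random tokens on the way out and restored on the way back, and the token vault exists only on the gateway. The `Record` type, the choice of which fields are sensitive, and the sample customer are all constructed for the example. The last check in the usage shows the caveat from the paragraph: a second gateway, or the cloud service itself, holds no vault and cannot reverse the tokens.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Record is the kind of document the office sends to a cloud service.
// Name and Email are treated as sensitive; the rest may go in the clear.
type Record struct {
	CustomerID string
	Name       string
	Email      string
	Notes      string
}

// Gateway is the on-premises appliance: it substitutes random tokens for
// sensitive fields on the way out and restores them on the way back in.
// The token vault lives only here; the cloud service sees tokens only.
type Gateway struct {
	mu    sync.Mutex
	vault map[string]string // token -> original value
}

func NewGateway() *Gateway { return &Gateway{vault: make(map[string]string)} }

// tokenize issues a fresh random token; nothing about the token is derived
// from the value, so the cloud side cannot recover or correlate it.
func (g *Gateway) tokenize(value string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	g.mu.Lock()
	g.vault[tok] = value
	g.mu.Unlock()
	return tok, nil
}

func (g *Gateway) detokenize(tok string) (string, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	v, ok := g.vault[tok]
	if !ok {
		return "", errors.New("unknown token: " + tok)
	}
	return v, nil
}

// Outbound is applied to every record leaving the office for the cloud.
func (g *Gateway) Outbound(r Record) (Record, error) {
	var err error
	if r.Name, err = g.tokenize(r.Name); err != nil {
		return Record{}, err
	}
	if r.Email, err = g.tokenize(r.Email); err != nil {
		return Record{}, err
	}
	return r, nil // CustomerID and Notes pass through unchanged
}

// Inbound reverses the substitution for records coming back from the cloud.
func (g *Gateway) Inbound(r Record) (Record, error) {
	var err error
	if r.Name, err = g.detokenize(r.Name); err != nil {
		return Record{}, err
	}
	if r.Email, err = g.detokenize(r.Email); err != nil {
		return Record{}, err
	}
	return r, nil
}

// HasPlaintext reports whether a record still carries a sensitive value in
// the clear; what the cloud stores should make this return false.
func HasPlaintext(original, cloudCopy Record) bool {
	return cloudCopy.Name == original.Name || cloudCopy.Email == original.Email
}

func main() {
	g := NewGateway()
	orig := Record{CustomerID: "c-42", Name: "Ada Lovelace", Email: "ada@example.com", Notes: "prefers email"}
	cloud, _ := g.Outbound(orig)
	fmt.Printf("sent to cloud: %+v\n", cloud)
	back, _ := g.Inbound(cloud)
	fmt.Printf("restored:      %+v\n", back)
	_, err := NewGateway().Inbound(cloud) // a different gateway has no vault for these tokens
	fmt.Println("other gateway:", err)
}
```

A production vault would be persistent and replicated, since losing it loses the data, and the gateway becomes the thing to protect and monitor: it now holds every sensitive value the cloud service does not. Searching or sorting on a tokenized field in the cloud no longer works, which is the usual trade-off that decides which fields get tokens and which get format-preserving encryption instead.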

Apps aren't secure.

Application security has been getting attention for years. In my mind, its importance increases when an application is deployed to a cloud environment, as the application is more exposed.

One of the biggest mistakes an organization can make is to take an existing application and simply deploy it to a cloud without first considering what new attack vectors this move opens up.

When possible, an application should be re-architected for cloud deployment; this allows parts of the application to scale independently, and to be more distributed and resilient. It's really an opportunity to make an application more secure than ever. Forcing a development team to not use the corporate firewall as a crutch will result in a solid application.

Application security can be a complicated topic, but here are my crib notes: Never trust user input, and always encode output back to the user. Getting those two things right will remove about 80 percent of application security issues.
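Both crib notes in working form, as an added Go example that is not from the article: an allow-list validator for one input field, and a comment rendered two ways, once by string concatenation (the mistake) and once through `html/template`, which escapes the value for the HTML context it lands in. The username pattern, the page fragment and the sample input are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"regexp"
)

// usernameRe is an allow-list: decide what valid input looks like and reject
// everything else, rather than trying to enumerate bad characters.
var usernameRe = regexp.MustCompile(`^[a-z][a-z0-9_]{2,31}$`)

// ValidateUsername is the "never trust user input" half of the crib notes.
func ValidateUsername(s string) error {
	if !usernameRe.MatchString(s) {
		return errors.New("invalid username")
	}
	return nil
}

// RenderUnsafe is the mistake: the value is concatenated straight into HTML,
// so whatever one user typed becomes markup in the next reader's browser.
func RenderUnsafe(comment string) string {
	return `<p class="comment">` + comment + `</p>`
}

// page is parsed once; html/template escapes every {{.}} according to the
// HTML context it appears in (text, attribute, URL or script).
var page = template.Must(template.New("comment").Parse(`<p class="comment">{{.}}</p>`))

// RenderSafe is the "always encode output back to the user" half.
func RenderSafe(comment string) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, comment); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	in := `<b>hi</b>` // constructed user input containing markup
	fmt.Println("unsafe:", RenderUnsafe(in))
	safe, _ := RenderSafe(in)
	fmt.Println("safe:  ", safe)
	fmt.Println("validate:", ValidateUsername("alice_01"), ValidateUsername("bob;drop"))
}
```

Note that the two halves are independent: validation limits what gets stored, but output encoding is what protects the reader, and it has to be applied to every value that reaches a page, including values that were validated long ago under an older rule, or that arrived from another system with no validation at all.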

After input and output are taken care of, next up is proper authentication and authorization. These should be checked on every page or service request, not just at initial login. Ideally, any administrative functions are run through a separate application, so if a malicious user does compromise an account, the most he can get is a single user's data, not admin access.
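The three points of that paragraph in one small Go service, added here as an example and not taken from the article: a middleware that checks the session on every request, an authorization check that compares the requested owner against the authenticated user, and admin functions built as a separate application with no routes on the user-facing one. The fixed session map, the token values and the route shapes are constructed assumptions; `Probe` sends in-memory requests so the behaviour can be exercised without a network.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is what a valid session token resolves to. A real deployment looks
// this up in a session store; the fixed map below is constructed for the example.
type Session struct {
	UserID string
	Admin  bool
}

var sessions = map[string]Session{
	"tok-alice": {UserID: "alice"},
	"tok-root":  {UserID: "root", Admin: true},
}

type sessionKey struct{}

// RequireSession wraps every route: no valid bearer token, no handler. Doing
// this on each request is the "not just at initial login" point.
func RequireSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		s, ok := sessions[tok]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), sessionKey{}, s)))
	})
}

// recordsHandler serves /records/{owner}. Authentication says who you are;
// this check says whether you may see this particular owner's data.
func recordsHandler(w http.ResponseWriter, r *http.Request) {
	s := r.Context().Value(sessionKey{}).(Session)
	owner := strings.TrimPrefix(r.URL.Path, "/records/")
	if owner != s.UserID {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "records of %s", owner)
}

// UserApp is the user-facing application. It has no admin routes at all, so
// a compromised user account cannot reach them here.
func UserApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/records/", recordsHandler)
	return RequireSession(mux)
}

// AdminApp is a separate application, meant for its own host or listener,
// and it still checks the admin flag on every request.
func AdminApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/admin/users", func(w http.ResponseWriter, r *http.Request) {
		if !r.Context().Value(sessionKey{}).(Session).Admin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "user list")
	})
	return RequireSession(mux)
}

// Probe sends one in-memory request to h and returns the HTTP status code.
func Probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest("GET", path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	user, admin := UserApp(), AdminApp()
	fmt.Println("no token      ->", Probe(user, "/records/alice", ""))         // 401
	fmt.Println("own records   ->", Probe(user, "/records/alice", "tok-alice")) // 200
	fmt.Println("other's data  ->", Probe(user, "/records/bob", "tok-alice"))   // 403
	fmt.Println("admin on user ->", Probe(user, "/admin/users", "tok-alice"))   // 404
	fmt.Println("admin as root ->", Probe(admin, "/admin/users", "tok-root"))   // 200
}
```

The 404 for `/admin/users` on the user application is the separation the paragraph asks for: the route is not merely forbidden there, it does not exist, so no bug in the user application's authorization logic can expose it.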

The last big thing to consider is data encryption: For performance reasons, most organizations don't want to encrypt all data, so the trick is to find the balance of encrypting enough sensitive information so that if you get compromised, data cannot be pieced together to provide useful identification.

Crib notes, though, are for barely passing, and we want to implement solid cloud security, not just meet minimum certification levels, so go read more at the Open Web Application Security Project (OWASP) website: http://owasp.org.

Authentication and authorization must be more robust.

Of all the problems covered in this article, cloud authentication and authorization has the greatest number of commercial solutions available. This does not mean the issue is easily solved, however. Every organization has its own way to manage authentication and authorization.

First, it must determine if its current authentication system could also work in a secure and reliable way for users in a cloud environment. If the answer is yes, the follow-up question is whether that is also the best way to authenticate cloud services.

Also worth considering: Does every cloud service the organization uses need to be authenticated by the same system?

There is a lot of policy that a company must define to settle the cloud authentication and authorization issue.

Policy aside, any authentication system must be very flexible. Whether it integrates with an enterprise's Active Directory or is standalone, security administrators must be able to easily add support for new services, which may have different authentication schemes and group memberships.

It is crucial that the authentication system fits into the company's aforementioned visibility plan. There's no reason not to know very quickly of a series of failed authentication attempts.
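What "knowing very quickly" looks like in code, as an added Go example that is not part of the article: a parser for a simple authentication log and a detector that raises one alert per user the first time that user accumulates a threshold of failures inside a sliding time window, with a successful login resetting the streak. The log format, the threshold, the window and the log lines themselves are constructed for the example; a real system would read the identity provider's actual event format.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one parsed line from the authentication system's log.
type AuthEvent struct {
	When    time.Time
	User    string
	Source  string
	Success bool
}

// Alert is raised once per user when the failure threshold is crossed.
type Alert struct {
	User    string
	Message string
}

// sampleLog is constructed for this example. Format per line:
// RFC3339 timestamp, user, source address, "ok" or "fail".
const sampleLog = `2012-06-01T09:00:01Z alice 10.0.0.5 ok
2012-06-01T09:00:10Z bob 10.0.0.9 fail
2012-06-01T09:00:12Z bob 10.0.0.9 fail
2012-06-01T09:00:15Z bob 10.0.0.9 fail
2012-06-01T09:00:18Z bob 10.0.0.9 fail
2012-06-01T09:00:21Z bob 10.0.0.9 fail
2012-06-01T09:01:00Z carol 10.0.0.7 fail
2012-06-01T09:20:00Z carol 10.0.0.7 fail
2012-06-01T09:40:00Z carol 10.0.0.7 fail
2012-06-01T10:00:00Z carol 10.0.0.7 fail
2012-06-01T10:20:00Z carol 10.0.0.7 fail`

func ParseLog(text string) ([]AuthEvent, error) {
	var out []AuthEvent
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, AuthEvent{When: ts, User: f[1], Source: f[2], Success: f[3] == "ok"})
	}
	return out, sc.Err()
}

// Detector keeps, per user, the failure timestamps still inside the window.
type Detector struct {
	threshold int
	window    time.Duration
	failures  map[string][]time.Time
	alerted   map[string]bool
}

func NewDetector(threshold int, window time.Duration) *Detector {
	return &Detector{threshold: threshold, window: window,
		failures: map[string][]time.Time{}, alerted: map[string]bool{}}
}

// Observe feeds one event and returns an alert if it tripped the threshold.
func (d *Detector) Observe(ev AuthEvent) (Alert, bool) {
	if ev.Success {
		delete(d.failures, ev.User) // a successful login resets the streak
		return Alert{}, false
	}
	cutoff := ev.When.Add(-d.window)
	kept := d.failures[ev.User][:0]
	for _, t := range d.failures[ev.User] {
		if t.After(cutoff) { // drop failures that have aged out of the window
			kept = append(kept, t)
		}
	}
	kept = append(kept, ev.When)
	d.failures[ev.User] = kept
	if len(kept) >= d.threshold && !d.alerted[ev.User] {
		d.alerted[ev.User] = true
		msg := fmt.Sprintf("%d failed logins for %s from %s within %s (last at %s)",
			len(kept), ev.User, ev.Source, d.window, ev.When.Format(time.RFC3339))
		return Alert{User: ev.User, Message: msg}, true
	}
	return Alert{}, false
}

// Run parses a log and returns every alert the detector raised, in order.
func Run(log string, threshold int, window time.Duration) ([]Alert, error) {
	events, err := ParseLog(log)
	if err != nil {
		return nil, err
	}
	d := NewDetector(threshold, window)
	var alerts []Alert
	for _, ev := range events {
		if a, ok := d.Observe(ev); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts, nil
}

func main() {
	alerts, _ := Run(sampleLog, 5, 10*time.Minute)
	for _, a := range alerts {
		fmt.Println(a.Message)
	}
}
```

With a ten-minute window only bob trips the rule; carol's five failures are spread twenty minutes apart and never coexist in the window, which is what a slow guess-rate attempt looks like and why the window length is a tuning decision, not a constant. Widening the window to two hours catches carol as well, at the cost of more noise from users who simply mistype.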

Discussing how to respond to those failures will be left for another day.


John Kinsella is founder of security consultancy Protected Industries.

[ debriefing]

Welcome, Athletes!

How many UK Olympic security measures can you correctly identify?

1. Reaper
2. Ocean
3. LRAD
4. Albion
5. MI5
6. Typhoon
7. Yeomen Warders

a. Anti-pirate sonic weapon
b. Royal Air Force jets
c. Royal Navy ships protecting sailing events
d. Remote-controlled surveillance drones
e. British navy's largest ship, parked in the Thames as HQ
f. Agency in charge of screening guards and volunteers
g. Guards in funny uniforms (aka Beefeaters)

How'd You Do?

6-7 points: Smashing
3-5 points: Bob's your uncle
0-2 points: Codswallop
ADVERTORIAL

Risk Strategy Upgrade: Making Compliance More than a Check-Off

Market Pulse

THE SECURITY AND COMPLIANCE LANDSCAPE IS INCREASINGLY CHALLENGING, FROM THE BOARDROOM TO THE TRENCHES.

The issue of risk management and mitigation doesn't differentiate between IT and operations. Furthermore, IT security is becoming a larger part of the more operationally oriented issues of governance, risk and compliance (GRC).

Worse still, many enterprises tend to think about compliance only in terms of a checklist. They attack this list reactively rather than proactively, and often consider the effort a proxy for security. But compliance doesn't always translate to a higher level of security, nor does it give companies more insight into impending risk.

The Current Challenges

Moving from reactive to proactive capabilities, in search of more holistic enterprise GRC, can be daunting, fraught with a complex web of technological, operational, and financial elements. One of the biggest challenges, perhaps, is simply collaboration.

To build an enterprise governance structure that supports holistic risk management, each operational group needs an enterprisewide understanding of what risk means, not a siloed perspective that reflects only the needs of their own department. This broader view comes from communications and collaboration; once in place, each group can begin to look at GRC issues in an integrated fashion.

Some companies have overcome these challenges, emerging as trendsetters in their ability to set forth an integrated enterprise GRC strategy. According to a recent IDG Research Services study, 62 percent of respondents believe they are highly successful at identifying security risk, while half feel they can effectively mitigate security risk (52 percent) or quantify security risk (49 percent).

This isn't something that happened overnight. Companies achieved success through a tightly integrated approach to compliance and IT security. In fact, these trendsetters point to the following milestones:

» Higher levels of success in mitigating and quantifying security risk
» Greater likelihood of taking a proactive approach to compliance
» Higher levels of visibility into supply chain partners' operations in the areas of GRC
» Higher likelihood of implementing a business application that supports an integrated, enterprisewide GRC initiative
» Greater likelihood of rating their organizations' approaches to GRC as highly effective in all areas measured

Respondents understand the value GRC brings, and more than half (53 percent) have plans to invest within the next 12 months. The surest route to success is the one already travelled, that is, starting with the aforementioned capabilities. Of course, to follow the success of the trendsetters, companies must first look at GRC in a new light. They must change their culture, moving away from compliance-centric thinking to risk management and mitigation. They must think of GRC less as a one-time to-do list, and more as an integrated enterprisewide strategy that will not only make operations more secure, but give them more actionable insight as well.

For the full results of the IDG Research Services survey, please visit: www.csoonline.com/whitepapers/saic